236880 – [PATCH] Fix NULL bio crash in loop worker thread

Bug 236880 - [PATCH] Fix NULL bio crash in loop worker thread

Summary: [PATCH] Fix NULL bio crash in loop worker thread

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	kernel
Sub Component:
Version:	5.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Eric Sandeen
QA Contact:	Martin Jenner
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	280861 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2007-04-18 08:21 UTC by Alexey Dobriyan
Modified:	2007-11-30 22:07 UTC (History)
CC List:	3 users (show)
Fixed In Version:	RHBA-2007-0959
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-11-07 19:47:07 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
[PATCH] Fix NULL bio crash in loop worker thread (545 bytes, patch) 2007-04-18 08:21 UTC, Alexey Dobriyan	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2007:0959	0	normal	SHIPPED_LIVE	Updated kernel packages for Red Hat Enterprise Linux 5 Update 1	2007-11-08 00:47:37 UTC

Description Alexey Dobriyan 2007-04-18 08:21:43 UTC

Description of problem:

After LOOP_SET_FD/LOOP_CLR_FD combo loop device's queue gets request
handler which is persistent.

After, say

        mount -t iso9660 /dev/loop0 /mnt        # sic

this request handler is called directly with
a) ->lo_state being Lo_unbound
b) ->lo_pending being zero

Error path in loop_make_request() completes ->lo_bh_done completion
which is persistent as well.

Now, let's start worker thread as usual. It'll set ->lo_pending to 1,
don't wait for completion because it was already completed (brokenly),
and will not get out of infinite loop because of ->lo_pending. Loop
device doesn't have bios at this point and triggers BUG_ON.

So, don't complete ->lo_bh_done when loop device isn't setup fully.

How reproducible: always
Steps to Reproduce:

#!/bin/sh -x
ISO=1.iso
mount -o loop $ISO /mnt
umount /mnt
mount -t iso9660 /dev/loop0 /mnt        # sic
mount -o loop $ISO /mnt
  
Actual results: BUG_ON(!bio); in loop_thread triggers

Comment 1 Alexey Dobriyan 2007-04-18 08:21:44 UTC

Created attachment 152879 [details]
[PATCH] Fix NULL bio crash in loop worker thread

Comment 2 Eric Sandeen 2007-05-31 21:27:52 UTC

Alexey, has this been sent upstream to lkml?

Comment 3 Alexey Dobriyan 2007-06-01 07:01:02 UTC

It wasn't sent because bug was accidently fixed during kthread conversion.
See commit 6c9979185c7ef4feeb7f8d29be032b8f032a1838.
Probably, I should sent it to Adrian Bunk...

Comment 4 Eric Sandeen 2007-06-01 14:06:26 UTC

Thanks Alexey.

-Eric

Comment 5 Eric Sandeen 2007-06-04 19:10:07 UTC

I see this was sent up for Adrian's tree at http://lkml.org/lkml/2007/6/1/45

Comment 7 RHEL Program Management 2007-06-12 19:59:13 UTC

This request was evaluated by Red Hat Kernel Team for inclusion in a Red
Hat Enterprise Linux maintenance release, and has moved to bugzilla 
status POST.

Comment 8 Don Zickus 2007-06-16 00:31:52 UTC

in 2.6.18-27.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 10 Michal Schmidt 2007-09-25 13:39:09 UTC

*** Bug 280861 has been marked as a duplicate of this bug. ***

Comment 12 errata-xmlrpc 2007-11-07 19:47:07 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0959.html

Note You need to log in before you can comment on or make changes to this bug.